The newest Payment Card Industry Data Security Standard was released this month, PCI DSS 3.0, and it is all about security instead of compliance.
That's according to a new report by Torsten George, vice president at Sunnyvale, CA-based security risk management vendor Agiliance, Inc.
The following are what George identifies as the top five changes in the standard:
The new standard is 24-7
The standard goes into effect on January 1. But while some of the requirements aren't mandated until July, companies shouldn't wait until then - or until their next audit - to start getting their house in order.
It makes no sense to have security systems in place and operational only while a company is being audited. The crooks, after all, aren't going to be polite and wait.
"An annual audit is not security, it's compliance," said Stephen Orfei, general manager at Wakefield, MA-based PCI Security Standards Council, LLC, which created the standard. "That's a checkbox mentality. Let's change the dialogue to one of security, and security has to be 24-7."
More education and awareness around passwords
Password management is one of the weaker areas for merchants, according to this year's Verizon report.
Using default passwords, weak passwords, reusing credentials for different systems or users, and not using two-factor authentication when appropriate are all still problems for many companies.
"You have default passwords being left behind and that's a huge vulnerability," said Orfei. "You have to have strong passwords, you have to change passwords, and make sure you have these routines daily. It's something you have to build into the DNA of the company, and you have to do it religiously."
Better vendor risk management
"A lot of attacks come through business partners or entities," said Orfei.
In the case of the Target breach, for example, the initial attack vector was the company's HVAC contractor.
Under the new standard, vendors must specify the specifics of the services that they are providing when they go through their PCI compliance checks, so that customers can confirm that they are in fact compliant for the things that the customers user them for.
The PCI Security Standards Council lists vendors and software that have already gone through reviews - but that doesn't mean that merchants can then stop worrying about them. They still need to ensure that the software and applications they use are implemented correctly, and that vendors are actually living up to the security promises they've made.
"You have to validate that things have been done properly," said Orfei.
New requirements for penetration testing
"We're advocating more pen testing," said Orfei.
Previously, the recommendation was an annual approach. Under the new standards, it's a quarterly recommendation, he said.
In addition, the new standard provides more information about what a penetration test should actually include.
"They've provided clarity - they've never before written it down," said Jeff Man, PCI security evangelist at Columbia, MD-based Tenable Network Security.
More systems covered
Previously, merchants could ignore systems that didn't hold card data or personally identifiable information.
Now, the PCI standard has expanded to include systems that say, might not actually store data, but would allow someone to look at data.
"This will result in more complex compliance assessments," said Agiliant's George in the report.